NPC sets cap on fines vs data privacy violators


The National Privacy Commission has moved to put a limit on the amount of fines to be imposed against data privacy violators to further promote organizational accountability and compliance with the Data Privacy Act (DPA).

This developed following an online public hearing conducted by the NPC on Tuesday, March 22, where the updated draft Circular on Administrative Fines was presented to its stakeholders. The updated draft includes consolidated comments from previous hearings, which started in April 2021.

Specifically, an administrative fine may be imposed based on the annual gross income of PICs or PIPs within the range of 0.25 percent to 3 percent for grave violations and 0.25 percent to 2 percent for major violations. One of the notable changes in the current draft is the proposal to include a ceiling for the imposition of administrative fines. As such, the provision limiting the total imposable fine to not more than P5 million was inserted.

Such ceiling applies, whether the infraction results in single or multiple violations arising from a single act of personal information controllers (PICs) or personal information processors (PIPs). The NPC clarified that the single act pertains to a per processing activity basis and not per data privacy principle or data subject right violated.

In computing the imposable fine, the NPC will take into consideration the number of data subjects affected; the degree of negligence, or the intent of the PICs or PIPs that contributed or resulted in the violation; the categories of personal data affected; and the nature, duration, and severity of such infraction, among others.

Meanwhile, to determine the annual gross income of the erring PICs or PIPs, the NPC may review and require the submission of audited financial statements filed with the appropriate tax authorities for the immediately preceding year of the violation, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as may be deemed relevant and appropriate for the purpose.

If a particular PIC and PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed. PICs and PIPs who refuse to pay the administrative fines may be subject to a Cease-and-Desist Order, and other processes or reliefs the NPC is authorized to pursue as provided under Section 7 of the DPA, and/or appropriate contempt proceedings under the Rules of Court.

Privacy Commissioner John Henry D. Naga said the Circular on Administrative Fines aims to promote organizational accountability and compliance with the DPA by providing an optimal deterrence, as further explained by the economic study of the University of the Philippines Law Center.

In consideration of the comments from the public, the NPC also revised the scope to include all PICs or PIPs under the jurisdiction of the Data Privacy Act of 2012 (DPA).

Naga also told attendees of the public consultation that the draft circular provides a fair and reasonable system of fines. “The National Privacy Commission has consistently issued proactive measures for personal information controllers and personal information processors to comply with the law. The Data Privacy Act was enacted in 2012 and upon the constitution of the Commission in 2016, it has been actively promoting, educating, and assisting the stakeholders in their common endeavor in complying with the law. By now, we expect PICs and PIPs to have incorporated in their respective processes and implemented necessary measures, to protect data subjects and uphold data privacy rights,” Naga added.

The Commission is open to receive comments from its stakeholders regarding the draft circular until April 6, 2022.